FTI Technology’s digital forensics expert David Freskos shared some insights on current issues with location-based services, and what corporations need to consider in today’s landscape.
Q: Pokémon Go appears to be everywhere. As forensic experts, what comes to mind when you think about Pokémon Go or see other geo-location games or services?
Pokémon Go and other similar games and mobile services make use of a mobile phone’s location, and leave traces of your location on the device, which can have potential implications. One of the things we’re starting to see people do in response to this is to spoof their location, where they modify their mobile device to make it appear to be in a different location than it actually is.
In the example of Pokémon Go, a user could do this to capture Pokémon without actually having to go to those locations. While this may seem benign for a game like this, the same tactic can be used for other reasons, and can cause some serious problems when user location information becomes evidence for legal or regulatory reasons.
Q: What are some of the other reasons why someone would want to spoof their location?
The primary reason is to access systems or services that are restricted to specific geographies or countries. Beyond Pokémon Go, the NBC Olympics streaming app provides another timely example. Streaming Olympics coverage from NBC is not available outside the U.S.; but someone in another country may spoof their location to make it appear that they are in the U.S., giving them access to restricted broadcasts.
Similarly, Major League Baseball restricts streaming access to games being played locally, to encourage people to either attend the game or view it via the local TV station. If someone in Chicago wanted to watch the White Sox or Cubs play a home game via the streaming service, they could spoof their location to show they are in a different state and gain access to the game. We’ve also heard many cases of employees being sent overseas from the U.S. for work, and spoofing their location so they can continue to access their U.S. Netflix accounts.
Q: How hard is it to do?
Location spoofing is actually pretty easy, and there are resources all over the Internet that give instructions for how to do it—both for mobile devices and traditional computers such as laptops and desktops which don’t typically have GPS technology, but often show online service providers their location through IP addresses.
One common tactic for the iPhone is to ‘jailbreak’ the phone, which gives the user root level access and strips away the protections that come with the device. Once a phone is jailbroken, there are numerous apps that allow the user to manually change their location. More advanced users can also put their device into ‘dev’ mode, which allows location spoofing as a means to test new software. The process is even easier on Android devices, which simply require users to turn off location gathering information and allow the user to dictate location data to the device.
Corporations that need to regulate user access to services or content based on location can take some basic steps to overcome spoofing. Many currently use IP address verification to identify a user’s location. While this can easily be spoofed as well, some users will inevitably slip up and forget to spoof both their IP and their GPS at some point while they are using an online service.
Q: What can a corporation do to check if someone is spoofing their location?
For mobile devices, GPS information can be checked against an IP address to ensure that both resolve to roughly the same location. If the GPS indicates the phone is in Europe and the IP address resolves to a residential internet service provider in the U.S., there is a pretty good chance the individual is spoofing their GPS. There are also tools that can check to see if devices have been jailbroken, giving corporations yet another way to identify if someone has the capability to spoof their location.
When possible, it is best to check as many different data points as you can. In the example of the NBC Olympics streaming app, not only did it require disclosure of the user’s GPS location, but it also asked users to sign into their residential cable provider’s website as proof that they were eligible for certain content.
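The GPS-versus-IP cross-check described in this answer, as an added example that is not part of the original interview. The `Session` record, its field names, the 200 km slack and the sample coordinates are assumptions made for illustration; the GeoIP lookup and the jailbreak check are assumed to happen upstream.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

LatLon = Tuple[float, float]

@dataclass
class Session:                # hypothetical record filled in by upstream checks
    gps: Optional[LatLon]     # device-reported fix, None if withheld
    ip_geo: Optional[LatLon]  # GeoIP result for the client IP, None if unresolved
    ip_radius_km: float       # accuracy radius reported by the GeoIP source
    jailbroken: bool          # result of a separate jailbreak check

def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(s: Session, slack_km: float = 200.0):
    """Return (verdict, reasons) for one session."""
    reasons = []
    if s.jailbroken:
        reasons.append("device is jailbroken, so it is able to spoof location")
    if s.gps is None or s.ip_geo is None:
        reasons.append("GPS or IP location missing; cannot cross-check")
        return "insufficient_data", reasons
    dist = haversine_km(s.gps, s.ip_geo)
    # IP geolocation is coarse, so allow its accuracy radius plus some slack.
    if dist > s.ip_radius_km + slack_km:
        reasons.append(f"GPS and IP locations are {dist:.0f} km apart")
        return "likely_spoofed", reasons
    return ("capable_of_spoofing" if s.jailbroken else "consistent"), reasons

# Constructed sample sessions (city-centre coordinates, not real user data).
PARIS, CHICAGO, EVANSTON = (48.8566, 2.3522), (41.8781, -87.6298), (42.0451, -87.6877)
SAMPLES = {
    "gps_europe_ip_us": Session(PARIS, CHICAGO, 50.0, False),
    "both_near_chicago": Session(CHICAGO, EVANSTON, 50.0, False),
    "near_chicago_jailbroken": Session(CHICAGO, EVANSTON, 50.0, True),
    "gps_withheld": Session(None, CHICAGO, 50.0, False),
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(name, assess(session))
```

A "consistent" verdict only means the two signals agree; since the IP address can be spoofed as well, it is one data point to combine with others rather than proof of location.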
Q: Why does location spoofing matter to your clients?
Many corporations offer consumer-facing apps and services that rely on a user’s location. This type of behavior makes it possible for users to get around whatever content the corporation is trying to restrict, and can have negative implications for the business. Gambling sites provide a relevant example – you have people in the U.S. trying to illegally access certain services that aren’t available in their state. An online gambling service could get into serious trouble with U.S. regulators if they don’t take reasonable steps to verify a player’s location.
Corporations – such as NBC or Netflix in the earlier examples – may have contractual requirements to show or not to show certain content – such as movies, TV shows, websites – in certain geographies. These corporations use location data to determine who can and can’t gain access. Location spoofing basically circumvents the security measures, and puts the corporation at risk for contractual or regulatory violations.
Q: Looking ahead, what are the most important considerations regarding this new issue?
People are now using mobile devices more than computers, and forensic examiners can get a much broader scope of information from mobile devices. Location spoofing is a relatively new concern, and is one that will require forensic investigators to be proactive in determining how this behavior can be prevented and detected, or how it may impact a reactive investigation when examining their phone. Most importantly, corporations that have an obligation to restrict access based on location must ensure they have taken reasonable steps to verify their users’ locations and to proactively guard against location spoofing.